Abstract — This paper considers the problem of end-end security
enhancement by resorting to deliberate noise injected in
ciphertexts. The main goal is to generate a degraded wiretap 
channel in application layer over which Wyner-type secrecy en- 
coding is invoked to deliver additional secure information. More 
specifically, we study secrecy enhancement of DES block cipher 
working in cipher feedback model (CFB) when adjustable and 
intentional noise is introduced into encrypted data in application 
layer. A verification strategy in exhaustive search step of linear 
attack is designed to allow Eve to mount a successful attack 
in the noisy environment. Thus, a controllable wiretap channel 
is created over multiple frames by taking advantage of errors 
in Eve's cryptanalysis, whose secrecy capacity is found for the 
case of known channel states at receivers. As a result, additional 
secure information can be delivered by performing Wyner type 
secrecy encoding over super-frames ahead of encryption, namely, 
our proposed secrecy encoding-then-encryption scheme. These 
secrecy bits could be taken as symmetric keys for upcoming 
frames. Numerical results indicate that a sufficiently large secrecy 
rate can be achieved by selective noise addition. 

Index Terms — DES cipher, CFB mode, deliberate noise, linear 
cryptanalysis, Markov chain, wiretap channel, secrecy capacity. 



I. Introduction 

Traditionally, end-end secrecy delivery relies on symmetric 
or asymmetric encryption residing in the upper layer of a com- 
munication system, as well as sophisticated key management 
schemes JSJ. Without requiring a secure cipher, Wyner- 
type secrecy encoding provides a completely different solu- 
tion to link-wise secret message delivery by random binning 
tailored to some presumed wiretap channel models in physical 
layer pl, In this paper, we propose an encoding-encryption 
approach to end-end secrecy delivery by encoding over a 
degraded wiretap channel across super-frames transmitted in 
the application layer. The resulting wiretap channel is created 
by injecting controllable noise into ciphertext after encryption, 
and determined by both the adversary node's uncertainty 
about the key of cipher and its limited resources in launching 
cryptanalysis. Secret information transmitted in such manner
could be taken as keys for the subsequent super-frame. 

In the proposed framework, we are essentially exploring
the techniques developed for physical layer secrecy encoding
and cryptanalysis against symmetric block ciphers to serve
our purpose of realizing end-end secrecy enhancement without
resorting to exogenous physical channel conditions. More
specifically, Data Encryption Standard (DES) block cipher
working in Cipher Feedback Mode (CFB) is taken to encrypt
messages encoded using the Wyner type secrecy encoding
scheme and then transmitted over multiple frames encrypted
using different keys. Random binary noise is then deliberately
added onto the ciphertexts, which are received by both the legitimate
user and an eavesdropper without any additional distortion.
Such a hierarchical encoding-encryption framework allows
us to transmit secret messages over the resulting degraded
wiretap channels in the application layer without making any
assumption regarding end-end physical channel conditions.

Y. Khiabani and S. Wei are with the Department of Electrical and
Computer Engineering, Louisiana State University, Baton Rouge, LA 70803,
USA (Email: ysowtil@tigers.lsu.edu; swei@lsu.edu). Their work is supported
in part by the Board of Regents of Louisiana under contract
LEQSF(2009-11)-RD-B-03. J. Yuan and J. Wang are with the Department of Electronic
Engineering, Tsinghua University, Beijing, P. R. China, 100084. (E-mail:
jyuan, jian-wang@tsinghua.edu.cn)

In order to analyze secrecy enhancement achieved by utiliz- 
ing our encoding-then-encryption approach, we need to study 
how Eve responds to the existing noise in her gathered data, 
and how that influences her cryptanalysis performance. In our 
case, Eve attempts to mount her linear attack with accumulated 
noisy ciphertexts, and thus applies a new verification strategy 
in the second phase of the linear attack while considering her 
possible resource constraints. Our statistical analysis shows 
that even when she uses a numerically optimized attacking 
strategy to obtain the key, it is likely for her to make mistakes 
in cryptanalysis. These possible failures of Eve over multiple 
frames make her channel more degraded than the main channel,
which can be further exploited by secrecy encoder to send
additional secret bits over a super-frame. Therefore we could
utilize generated secret bits over the last super-frame, whose 
secrecy is ensured by Wyner-type secrecy encoding scheme, to 
establish keys for next coming frames. The secrecy capacity of 
the system is computed assuming known channel states at Bob 
and Eve. Numerical results illustrate how deliberately added 
noise influences secrecy rate which can be further maximized 
at certain noise rate. It should be noted that the primary goal 
of our paper is to demonstrate through such a case-study 
how secrecy encoding and symmetric encryption could be 
put together to enhance end-end security, and thus we only 
provide capacity computation of the resulting channel towards 
the end without dealing with the implementation of a particular 
secrecy encoder [5].

In literature, very few analytical approaches have focused on 
the impact of noisy ciphertexts on the attacking performance. 
In [6], different security schemes are analyzed from both
reliability and secrecy perspectives in the presence of channel
noise; nonetheless, they do not discuss what modified strategy
Eve needs to take adaptively against degradation, nor
have they considered further leveraging adversary's failures
in its cryptanalysis. In fact, our approach shares a common 
spirit with friendly jamming schemes proposed in physical
layer secrecy encoding Q, lH] where deliberate noise is introduced
in physical layer to interfere with both legitimate link and
eavesdropped link to improve the secrecy rate region. Unlike 
these works where link-wise physical channel features are 
explored to create a degraded wiretap channel, we essentially 
explore the adversary's disadvantages due to its uncertainty 
about the secret key bits and resulting deteriorated success
rate in cryptanalysis in the presence of deliberate noise. 

In addition, deliberate additive noise in encryption process 
was used to improve security of ciphers in previous works
[10], [11]. The primary goals in these works were to enhance
the secrecy of a cipher by random binning and additive
noise, not the one we are interested in, namely, deploying
encoding-then-encryption framework to enhance secrecy by
further encoding over a resulting degraded wiretap channel.
Random measurement noise has also been considered in side
channel attacks (SCA) where information about cryptographic
operation is leaked through some physical measurements
conducted by an adversary [12]. In [13], the authors proposed to use
multi-linear approximation utilized in Differential Power
Analysis (DPA)-like attacks, which is powerful due to its robustness
against noise, to attack a symmetric cipher hardware by power
analysis.

The paper is organized as follows. In Section II, a preliminary
description of CFB mode and linear cryptanalysis
is provided. In Section III the proposed security scheme
is described in detail, and in Section IV we design an optimized
verification strategy for Eve. In Section V the main channel and
wire-tap channel are modeled and then the secrecy capacity of
the resulting degraded wiretap channel is found in Section VI.
Finally, we present the numerical results in Section VII and
conclude the work in Section VIII.



II. Review of Relevant Background 
A. Properties of CFB Mode of Operation with DES Cipher 

DES is a symmetric key encryption cipher which has
plaintexts and ciphertexts of size 64 bits with a key length of
56 bits. Although DES is replaced by AES in some applications,
it is still used and studied in many networks [14] and [15].
CFB mode is one of the operational modes that can be used
to derive a key stream from block ciphers like DES [16]. We
assume that the block size in CFB mode is 64 bits. As can be seen
in Fig. 1, at time $n$, encryption of the previous ciphertext block
$C_{n-1}$ generates the key stream $S_n$ which is XORed with the
current 64-bit plaintext $P_n$ to generate the 64-bit ciphertext block
$C_n$, i.e. $C_n = S_n \oplus P_n$ where $S_n = E_k(C_{n-1})$.

DES encryption is very sensitive to the noise introduced into
ciphertexts or key bits. In particular, when one bit of the key or
the input to the cipher is altered, it can deteriorate about half
of the cipher output. This property is called avalanche effect
[17]. However, since S-boxes in DES cipher are not ideal,
the resulting bit error rate by avalanche effect is not exactly
0.5. This is also true in more advanced ciphers like AES as
discussed in [18]. That is why in our analysis we assume that
when there is an error in cipher input or in the key, each output
bit is flipped with the probability of $\alpha$.

Fig. 1. Cipher feedback mode (CFB) with DES cipher [6]



B. Linear Cryptanalysis 

Linear cryptanalysis is a known plaintext attack which was
first proposed by Matsui in [19] to attack DES. It is one of the
most widely used attacks on block ciphers. This cryptanalysis
approach exploits a linear equation with the probability of
$p \neq \frac{1}{2}$ which involves some input and output bits of the DES cipher
and some key bits. The quantity $\epsilon = |p - \frac{1}{2}|$, which is called
bias, measures the correlation among plaintext, ciphertext and
the key bits, and can be used as a criterion to distinguish the
right key. Before the attack, Eve has to gather a large number
of plaintext/ciphertext pairs, and then for each possible key
value compute its corresponding bias by counting the number
of pairs that satisfy the linear equation.

If we refer to $m$ as the number of attacked key bits in
linear cryptanalysis, the number of subkey candidates would
be $2^m$ that need to be sorted from rank 1 to $2^m$ based on
their corresponding probability biases. It should be noted that
it is not necessarily always true that the right key ranks the
highest, but it will be surely among high ranked candidates.
Assume that adversary only checks top $2^{m-a}$ candidates
during exhaustive search, and since each subkey candidate gets
checked with all possible combinations of $56 - m$ remaining
unattacked bits, Eve has to run exhaustive search with at most
$2^{56-m}$ encryptions for each candidate. As a result, the total
number of 56-bit keys examined in linear attack with bit
advantage $a$ is $2^{56-a}$. In [20], A. Selçuk showed that when
the total number of gathered plaintext/ciphertext pairs $N$ is
large enough, the probability of success $P_s$, defined as the
probability that the right key is among the $2^{m-a}$ top candidates,
can be derived as

$$P_s = \Phi\left(2\sqrt{N}\,\epsilon - \Phi^{-1}\left(1 - 2^{-a-1}\right)\right) \qquad (1)$$

where $a$ is the bit advantage of the attack, $\epsilon$ is the bias of the
used linear approximation and $\Phi$ is the cumulative distribution
function of the standardized normal distribution.

III. The proposed scheme for security system 

Fig. 2 illustrates the proposed scheme for secrecy improvement
in which, after encryption of the original message $S$,
intentional noise is injected into it to generate a degraded
wiretap channel. Since we consider end to end secrecy, the physical
channel is assumed to be error-free. Therefore, the ciphertexts
that Bob obtains only include errors caused by intentional
noise introduced into encrypted data in application layer with
bit error rate of $\eta$. Moreover, because Alice and Bob agree
on the key used for the current data frame, Bob can decrypt
the obtained noisy ciphertexts and then apply the wiretap
channel decoding algorithm that allows him to recover the
original message $S$ with arbitrarily small error probability. As
indicated in Fig. 2, there exists an oracle which is located
after encryption and noise injection, whereby Eve can query
and obtain consecutive plaintext/ciphertext pairs. However, due
to the deliberate noise, the virtual oracle provides Eve with
noisy ciphertexts distorted by a binary noise sequence with
independent errors of rate $\eta$. The main advantage that Bob
has over Eve is that Bob and Alice share the same encryption
and decryption key which is unknown to Eve. Therefore, Eve
has to adopt an attack strategy that can exploit the gathered
noisy data in order to guess the secret key.

We assume that legitimate users initialize with a shared set 
of keys in a highly secure manner at the beginning. As a result, 
Alice can divide the whole data into equal size data frames, 
each including M number of data blocks of size 64-bit which 
is the block size used in CFB mode. In this way, the same key 
will be used for M 64-bit blocks in each frame for encryption 
and decryption at the receiver end. In this paper, we show that 
due to Eve's resource constraints, it is likely for her to make 
mistakes in assessing a frame key. As a result, Eve's channel is
a degraded version of the main channel. We can leverage this
advantage by applying Wyner secrecy encoding over super-frames
to average over all possible failures by Eve. In a Wyner-type
encoder, redundancy is added to correct errors that occur
across the main channel, and randomness is added for keeping
Eve ignorant across the wiretap channel [SI, [5]. Note that this
scheme can be generalized for other block ciphers like AES 
when they are used in operational modes like CFB or CBC 
(Cipher Block chaining). 

Another issue is key scheduling problem to provide highly 
confidential and distinctive keys for each frame while Bob is 
fully aware of them. Here, we can use the traditional way of key
management, which is sophisticated and costly, for instance the
master/session key scheduling approach which is proposed for
DES cipher in [1], [2]. In this technique, there exists a master
key out of which frame keys as session keys can be originated.
In our scheme, we propose a simpler approach which requires
less expenditure. In this technique the secrecy required for
frame keys is originated from secret bits delivered by Wyner
secrecy encoder over the intentionally created wiretap channel.
As a result, since encoding is performed over each super-frame,
Alice can use input to the encoder to derive frame keys in
next super-frame, for instance by applying a universal class
of hash functions [21], where the utilized function for each
frame is publicly known. Bob is able to decode encrypted data
and obtain the encoded message, and thus he will be able to 
derive keys for next frames. Note that the requirement for this 
approach is that there has to exist some root keys to initiate 
the keys for the first super-frame. 

IV. Eve's Attack Strategy and Its Analysis in Noisy Environment

This section studies the effect of the channel degradation on
the performance of the linear cryptanalysis in terms of Eve's
success rate. Since linear cryptanalysis is a known plaintext
attack, Eve has to rely on the received plaintext/ciphertext
pairs. Due to the existing errors in these ciphertexts, when
Eve examines a key, she is unable to distinguish between
errors caused by the received noisy ciphertext and the ones
induced by using the wrong key. Thus, she needs to design a
new verification approach whereby she can find the right key.
It should be noted that this attack strategy with verification
process has to be designed in a way that attack success rate
gets maximized from Eve's perspective.

Fig. 2. The proposed security scheme based on the intentional noise

A. Designed Verification Strategy for Attack 

Consider ciphertexts going through a binary symmetric channel
whose cross-over probability is $\eta$. As seen in Fig. 1, after
$C_n$ passes through the channel and is XORed with channel noise, the
received noisy 64-bit ciphertext $\hat{C}_n$ will have an error with the
probability of $1 - (1 - \eta)^{64}$. Therefore, Eve cannot rely only
on two successive ciphertexts to check the correctness of a
key, because they might have errors that can lead her to make
mistakes. Indeed, Eve has to try a number of successive pairs,
using CFB mode in order to increase her success rate.

In Fig. 3, two consecutive stages of CFB that are used to
check the key are shown, where $P_i$ and $\hat{C}_i$ are respectively the
plaintext and the received ciphertext for the $i$-th stage. $S_i$ is the
encrypted result of $\hat{C}_{i-1}$ that after XOR with $P_i$ generates $C'_i$.
Provided that the used key is correct, $C'_i$ must be the same as $\hat{C}_i$.
However, due to the possible errors in $\hat{C}_i$ or $\hat{C}_{i-1}$ there might
be some differences between $C'_i$ and $\hat{C}_i$ even though the used
key is right. Therefore, the Hamming weight (HW) of the XOR of $C'_i$
and the ciphertext $\hat{C}_i$, denoted by $E_i$, must be compared with
a threshold denoted as $\tau$. Then, a key trial for the $i$-th stage
can be considered successful if this HW is less than $\tau$.

Note that at stage $i$ when there is an error either in the input
to the cipher, i.e. $\hat{C}_{i-1}$, or in the key, there will be a burst of
errors in $S_i$, which makes $C'_i$ totally different and, in the special
case of $\alpha = 0.5$, independent from $\hat{C}_i$. Therefore, by choosing
a small value for threshold $\tau$ and comparing the HW of $C'_i \oplus \hat{C}_i$,
Eve can know that either the input to the cipher or the key is
noisy. In Table I, the key verification strategy for Eve is given
that she needs to follow in the brute-force attack phase of
linear cryptanalysis to test the correctness of the examined
key $k_i$. In this strategy, Eve examines each key candidate $N_c$
times with $N_c$ consecutive pairs. When at least one of the trials is
successful, Eve decides that the key is correct. That is because
for a correct key, $N_c$ is chosen such that she can make sure
that with a high probability at least in one trial out of $N_c$ tests,
the input to the cipher has no error, which results in a success.

TABLE I
Verification strategy

1- Pick $N_c$ consecutive pairs.
2- Try the $N_c$ chosen pairs over $N_c$ chained CFB stages using the key $k_i$.
3- A trial is successful if $HW(E_i = \hat{C}_i \oplus C'_i) < \tau$.
4- If there exists at least one successful event out of $N_c$ trials,
$k_i$ is the correct key, otherwise it is wrong.

Fig. 3. Key verification process for Eve with two consecutive CFB stages

Now the question is how we can choose the optimum value
for $\tau$. When the tested key is right, at stage $i$, for error-free
$\hat{C}_{i-1}$, $S_i$ will be error free and all the errors in $E_i$ will be
caused by the possible errors in $\hat{C}_i$. However, we can choose
$\tau$ such that with a high probability, the number of errors
in $\hat{C}_i$ does not exceed this threshold. Hence, the minimum
possible value for $\tau$ has to be adjusted such that at stage $i$,
the probability that the number of bit errors in $\hat{C}_i$ exceeds $\tau$
becomes negligible. This probability is denoted by $P_{fault}$.

In the next step, we need to find the optimum value for $N_c$.
Suppose that Eve tries a key to see if it is the right one, and
let $K_0$ be the hypothesis when the key is wrong and $K_1$ when
it is right. Then, we introduce random variable $A_i$ such that
$A_i = 1$ defines a successful trial at the $i$-th stage that happens
when the Hamming weight of $E_i$ is less than or equal to $\tau$, and
$A_i = 0$ otherwise. By proper selection of $\tau$, we can make sure that
whenever there is no error in the input to the cipher, Eve can
recognize the right key. Hence, the probability of having a
successful event at the $i$-th stage given the right key will be

$$P_1 \triangleq \Pr[A_i = 1 \mid K_1] = \Pr[\hat{C}_{i-1} \text{ is error-free}] = (1 - \eta)^{64}$$

All $N_c$ tests will fail if in all of these trials, inputs to the
ciphers have errors. If it happens when the key is right, Eve
will miss it, which has the probability of

$$P_m = (1 - P_1)^{N_c} \qquad (4)$$

We call $P_m$ the key missing probability. Thus, we need to find
the minimum $N_c$ that keeps $P_m$ below a threshold like $T_m$.

Now we need to compute the probability that Eve mistakenly
admits a wrong key while examining a single candidate.
When the used key is wrong, due to the avalanche effect, $C'_i$
will have bit error rate of $\alpha$, that after XOR with $\hat{C}_i$ with bit
error probability of $\eta$, results in output bit error rate of $\gamma$ as

$$\gamma = \alpha(1 - \eta) + \eta(1 - \alpha). \qquad (5)$$

Since to admit a wrong key at the $i$-th stage as the right one,
the HW of $E_i$ must be less than $\tau$, the probability of a successful
trial at this stage for a wrong key is

$$P_2 = \Pr[A_i = 1 \mid K_0] = \sum_{l=0}^{\tau} \binom{64}{l} \gamma^{l} (1 - \gamma)^{64-l} \qquad (6)$$

On the other hand, Eve accepts a wrong key when there
happens at least one successful trial for it. Thus, the false key
probability for a single candidate is

$$P_F = 1 - (1 - P_2)^{N_c}, \qquad (7)$$

where $P_2$ is computed by Eq. (6). It may seem that $P_F$ is very
negligible for the case $\alpha = 0.5$ in which $\gamma = 0.5$. However,
this probability can be aggregated over a large number of
examined wrong candidates in linear attack, and can lead to
an overall false key probability that can not be neglected, as
will be seen in simulation results.
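
The Table I verification strategy and the closed forms for $P_1$, $P_m$, $\gamma$, $P_2$ and $P_F$, as an added Python example that is not part of the paper. It assumes a SHA-256-based keyed function in place of DES (so $\alpha \approx 0.5$, with 64-bit stand-in keys) and hypothetical function names; it compares the simulated key missing rate with $(1 - P_1)^{N_c}$ and shows how a tiny per-candidate $P_F$ adds up over $2^{56-a}$ candidates.

```python
import hashlib
import random
from math import comb

BITS = 64  # CFB block size used on the page


def E(key: int, block: int) -> int:
    """Stand-in for DES encryption E_k (assumption): SHA-256 cut to 64 bits.
    CFB only uses the forward direction, and this gives alpha close to 0.5."""
    data = key.to_bytes(8, "big") + block.to_bytes(8, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:8], "big")


def cfb_encrypt(key, iv, plains):
    """C_n = E_k(C_{n-1}) xor P_n, with C_0 = iv."""
    out, prev = [], iv
    for p in plains:
        prev = E(key, prev) ^ p
        out.append(prev)
    return out


def inject_noise(blocks, eta, rng):
    """Deliberate noise: flip every ciphertext bit independently with rate eta."""
    noisy = []
    for c in blocks:
        z = sum(1 << j for j in range(BITS) if rng.random() < eta)
        noisy.append(c ^ z)
    return noisy


def verify_key(key, plains, noisy, tau, n_c):
    """Table I: accept the key if any of n_c chained stages has HW(E_i) <= tau
    (the A_i = 1 event; Table I itself writes the comparison as '<')."""
    for i in range(1, n_c + 1):
        recomputed = E(key, noisy[i - 1]) ^ plains[i]  # C'_i
        if bin(recomputed ^ noisy[i]).count("1") <= tau:
            return True
    return False


# Closed forms from the page.
def p1(eta):
    return (1 - eta) ** BITS                     # success of one trial, right key


def p_miss(eta, n_c):
    return (1 - p1(eta)) ** n_c                  # Eq. (4), key missing probability


def gamma(alpha, eta):
    return alpha * (1 - eta) + eta * (1 - alpha)  # Eq. (5)


def p2(alpha, eta, tau):
    g = gamma(alpha, eta)                        # Eq. (6), one trial, wrong key
    return sum(comb(BITS, l) * g**l * (1 - g) ** (BITS - l) for l in range(tau + 1))


def p_false(alpha, eta, tau, n_c):
    return 1 - (1 - p2(alpha, eta, tau)) ** n_c  # Eq. (7)


def expected_false_accepts(alpha, eta, tau, n_c, a):
    """P_F aggregated over the 2^(56-a) candidates examined with bit advantage a."""
    return 2 ** (56 - a) * p_false(alpha, eta, tau, n_c)


def simulate(eta, tau, n_c, trials, seed):
    """Return (rate of missed right keys, rate of accepted wrong keys)."""
    rng = random.Random(seed)
    missed = false_ok = 0
    for _ in range(trials):
        key, wrong, iv = (rng.getrandbits(64) for _ in range(3))
        plains = [rng.getrandbits(64) for _ in range(n_c + 1)]  # constructed data
        noisy = inject_noise(cfb_encrypt(key, iv, plains), eta, rng)
        missed += not verify_key(key, plains, noisy, tau, n_c)
        false_ok += verify_key(wrong, plains, noisy, tau, n_c)
    return missed / trials, false_ok / trials


if __name__ == "__main__":
    eta, tau, n_c = 0.01, 5, 3
    print("simulated (miss, false accept):", simulate(eta, tau, n_c, 3000, seed=1))
    print("P_m from Eq. (4):", p_miss(eta, n_c))
    print("P_F from Eq. (7):", p_false(0.5, eta, tau, n_c))
    print("expected false accepts, a = 10:", expected_false_accepts(0.5, eta, tau, n_c, 10))
```

With $\eta = 0.01$, $\tau = 5$ and $N_c = 3$, a single wrong candidate is accepted with probability on the order of $10^{-12}$, yet the expected number of false acceptances over $2^{46}$ candidates is close to one hundred.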

B. Analysis of the Designed Attack Strategy for Eve 

In [6], Yin et al. showed that in a noisy environment with bit
error rate of $\eta$, for linear attack on DES cipher, the probability
bias of the new linear equation denoted by $\hat{\epsilon}$, as well as the
success probability of attacker $P_s$ can be computed based on
the linear probability bias of the original linear equation $\epsilon$ and
the number of obtained pairs by Eve $N$ as

$$P_s = \Phi\left(2\sqrt{N}\,\hat{\epsilon} - \Phi^{-1}\left(1 - 2^{-a-1}\right)\right), \quad \text{where } \hat{\epsilon} = 2^{u+v}(1 - \eta - 0.5)^{u+v}\,\epsilon \qquad (8)$$

If adversary uses the improved linear analysis technique, she
needs to use Matsui's linear equation for DES that requires $u$
bits of plaintext and $v$ bits of corresponding ciphertext where
$u + v = 26$ to guess $m = 26$ key bits [22]. As discussed
in subsection II-B, in linear attack with bit advantage of $a$,
the total number of examined keys is $2^{56-a}$. If the ciphertexts
that Eve obtains are error-free, her success probability will
be $P_s$ which is the probability that the correct key is among
top $2^{56-a}$ examined candidates. However, when her obtained
ciphertexts are erroneous, it is still likely for her to obtain
the frame key. Also, it is possible that she gets no frame key
either right or wrong for decryption, which forces her to
erase the whole frame. These events have probabilities that are
called total success probability and frame erasure probability,
respectively, that can be computed based on the following
theorem which is proven in Appendix A.

Theorem 1: Consider a linear attack with bit advantage of
$a$. Assume Eve's obtained ciphertexts contain bit errors with
the rate of $\eta$, and that she uses the designed strategy in
brute-force step of the linear attack. When Eve examines the right
key, she misses it with the probability of $P_m$ given in Eq. (4),
and when the key is wrong, she may accept it wrongly with the
probability of $P_F$ given in Eq. (7). Let $P_s$, given in Eq.
be the success probability when the ciphertexts are error-free.
Then, Eve's total success probability can be computed by

Ps[l-P„ 



Pr = 



]~Ps{l-Pr, 



Pf256- 

On the other hand, frame erasure probability will be 



P. 



{I-PsXI-PfY +PsPrn{l 
[l-2'^'-'^PF][l-{l-P„,)Pg]. 



Pf 



(9) 



(10) 






In addition, the probability that Eve accepts a wrong key in
linear attack, which we call wrong key probability denoted by
$P_w$, can be derived as $P_w = 1 - P_c - P_e$.

In conclusion, we showed that there is a possibility that Eve is
not able to obtain any key, or falsely accepts a wrong key.

C. Parameter Optimization of Adversary's Attack Strategy 

Eve's objective is to mount a successful attack, and in order
to achieve this goal, she maximizes the success probability of
the utilized linear attack $P_c$, given in Eq. (9), knowing that her
computational ability is restricted, and there is a constraint
on the number of plaintext/ciphertext pairs that she can
accumulate. Namely, she can not perform more than DES
encryptions. In the linear cryptanalysis designed for noisy
environment, the number of all examined keys is $2^{56-a}$ and
each one has to be checked for $N_c$ times. Hence, in the worst
scenario Eve has to run $N_c 2^{56-a}$ DES encryptions, which
due to Eve's computational restrictions, should not exceed
9. Moreover, we assume that before mounting the attack on a
frame of data, Eve has already gathered as many
pairs as data storage capability and time limit allow her,
denoted by $N_{max}$. As a result, Eve needs to design attack
parameters including $N_c$, $\tau$ and $a$, to maximize the overall
success probability subject to the following constraint



max Pc 

Na,T,a 



subject to > Nc.2 



56— a 



N < Nr, 



(11) 



TABLE II 

Parameter optimization algorithm for attack strategy: 



- Initialization: put t = 1, Nc = 1. 
Determine T„ 
also Ncmax as the maximum value for Nc 

- r <- T + 1 until Pfauii > Tf and r < 64 



and P, 



fault 



f 



if Pfmili < 7/ or T = 64 go to the next step 

- Nc^ Nc + 1 until P„i > Tm and Nc < Ncmax 

if Pm < Tm or Nc = Ncmax go to the next step 

- Compute ao = [56 — loggC^)! 



■21. JV^ 

Compute Pc for ao < a < 56 

choose a for which Pc has its largest value. 

Output T, Nc and a as attack parameters. 



From Eq. (9) it can be concluded that $P_c$ falls as $P_m$
increases. Since according to Eq. (4) $P_m$ mainly depends
on $N_c$, we can define threshold $T_m$ for it and find the
minimum number of trials $N_c$ for which $P_m$ remains below
$T_m$. According to equations (6) and (7), to decrease $P_F$
we need to reduce $\tau$ as much as possible. If we define a
threshold $T_f$ for $P_{fault}$, the minimum possible value for $\tau$
according to our discussion in Section IV-A is the smallest $\tau$ for which
$P_{fault}$ remains below $T_f$. Furthermore, Eve has to choose an
optimized value for $a$ to have $P_c$ maximized. The algorithm in
Table II is designed to optimize the linear attack parameters
to let Eve achieve the maximum success rate $P_c$, for a given
$\eta$ subject to her restrictions. In this algorithm, $P_{fault}$ and $P_m$
can be computed using equations Q, respectively.

V. Main and Wire-tap Channel modelling 

In this section, we model main and wiretap channels in
block level (with 64-bit input and 64-bit output), using a
stationary finite state Markov chain (MC). Since Eve might
achieve the right frame key, get a wrong one or even get
nothing and drop the whole frame, we also need to model her
channel in frame level as a three state memoryless channel.

Fig. 4. CFB enciphering and deciphering with channel error

A. Main Channel Modelling Using MC 

As it was described, the encrypted data goes through a
BSC channel with cross over probability of $\eta$, created by
intentionally introduced noise in application layer. We next
model the CFB cipher, channel with deliberate noise and
decipher altogether as a single channel, in order to analyze the
effect of intentional noise at the output of decipher. Note that
we assume there is no degradation in actual physical channel.

Fig. 4 illustrates the encryption and decryption structure of
CFB mode with DES cipher in the presence of introduced
noise to ciphertexts. As shown in this figure, $\{C_i\}$ and
$\{\hat{C}_i\}$ are the sequences of transmitted 64-bit ciphertext and
received noisy ciphertext blocks, respectively, and $\{\hat{P}_i\}$ is the
sequence of decrypted blocks at time $i$ for $i = 1, 2, \ldots$. In
addition, $\{Z_i\}$ is the sequence of 64-bit blocks of intentional
bit errors in channel, with bits $Z_i^j$ that are independent and identically
distributed with Bernoulli distribution as $\Pr[Z_i^j = 1] = \eta$ for
$j = 1, \ldots, 64$, such that $\hat{C}_i = C_i \oplus Z_i$. As Fig. 4 indicates,
when $\hat{C}_i$ is noisy, it introduces errors with the rate of $\eta$ to the
decryption output at time $i$, i.e. $\hat{P}_i$. Moreover, since $\hat{C}_{i-1}$ gets
encrypted with DES at time $i$, due to the avalanche effect, it
induces bit error rate of $\alpha$ in $\hat{P}_i$. As a result, to characterize the
channel error state in decryption output at time $i$, it is required
to consider errors in both currently received ciphertext $\hat{C}_i$ and
the previous one $\hat{C}_{i-1}$. Hence, we need to define four states.

Note that in a particular case when we consider $\alpha = 0.5$,
we still need to define four states. In this case, when $\hat{C}_{i-1}$ has
an error, due to the fact that half of the ciphertext will be in error,
errors in $\hat{P}_i$ will be independent from $\hat{C}_i$ and consequently
from the error state at time $i + 1$. However, when it has no
error, errors in $\hat{C}_i$ will affect both decryption outputs at times
$i$ and $i + 1$, and therefore the current state will depend on
the previous one. As a result, we have to take all four states
into account, each with a different transition probability from
the input plaintext block $P_i$ denoted as 64-bit vector $X$ to the
output stored plaintext $\hat{P}_i$ denoted by 64-bit vector $Y$, and let
$E = X \oplus Y$ denote the transition error vector.
The channel states are defined as: state $S_0$, in which there
is no error from vector $X$ to the vector $Y$ and happens when
there is no error in $\hat{C}_i$ and $\hat{C}_{i-1}$. State $S_1$, which happens
when there is at least one bit error in $\hat{C}_i$, but no error in DES
cipher input, $\hat{C}_{i-1}$. State $S_2$, which shows the situation in
which there is at least one bit error in $\hat{C}_{i-1}$ without any error
in $\hat{C}_i$. In this channel state, due to the avalanche effect, each
bit at the output of DES cipher flips independently with the
probability of $\alpha$, causing bit error probability of $\alpha$ in $Y$. State
$S_3$, in which both $\hat{C}_i$ and $\hat{C}_{i-1}$ have at least one bit error.

For state $S_0$ we have $\Pr[e_j = 1 \mid S_0] = 0$ and for $S_2$,
$\Pr[e_j = 1 \mid S_2] = \alpha$, where $e_j$ denotes the $j$-th bit of $E$ for
$j = 1, \ldots, 64$. On the other hand, we should note that in
states $S_1$ and $S_3$, output bits can not be treated independently
because $S_1$ and $S_3$ are based on a given condition on the
whole 64-bit ciphertext $\hat{C}_i$. Let $q$ denote the probability that
there exists at least one bit error in $Z_i$ as

$$q = 1 - (1 - \eta)^{64} \qquad (12)$$

The next lemma gives the input-output transition probability
for states $S_1$ and $S_3$, which is proven in Appendix B.

Lemma 1: Let $X$ be the input plaintext vector to the CFB
encryption mode and $Y$ be the corresponding output of the
decryption. If the generated ciphertexts go through a channel
with cross over probability of $\eta$, we denote the Hamming
weight of the resulting error vector $E$ with $W(E)$. Then, for
state $S_1$ the input-output vector transition probability will be



Pr{Y\X, Si) 



q 





W{E) ^ 
W{E) = 



(13) 



where $\alpha$ is the avalanche bit error rate, and $\gamma$ is given in Eq. (5).
The transition probability in state $S_3$ for all $W(E)$ is

PriY\X,S3)^ (14) 

q 

Next, we need to find state transition probabilities. For
instance, when the state at time $i - 1$ was $S_2$, apparently $\hat{C}_{i-1}$
has been error free, so the only condition required to have
state $S_0$ happen at time $i$ is to receive error free $\hat{C}_i$ which has
the probability of $1 - q$ that is the transition probability from
state $S_2$ to $S_0$. Similarly, we can compute other state transition
probabilities. Notably, since probability of occurrence of the
current state only depends on the previous state, Bob's channel
can be modeled as a four state MC that is depicted in Fig. 5
with the following state transition probability matrix:

$$T = \begin{bmatrix} 1-q & q & 0 & 0 \\ 0 & 0 & 1-q & q \\ 1-q & q & 0 & 0 \\ 0 & 0 & 1-q & q \end{bmatrix}$$

whose elements demonstrate the transition probabilities
between different states. Note that in each state, input plaintexts
undergo different channel conditions and error probabilities. In
fact, the main channel can only be modeled as a BSC channel
in states $S_0$ and $S_2$ with cross over probabilities of 0 and $\alpha$
respectively, whereas in other two states it can be modeled
based on input-output transition probabilities in (13) and (14).

Fig. 5. Alice-Bob channel model as a four state MC

In particular, since in MC model for Alice-Bob channel, all four states can be reached from one another, it is an irreducible MC with positive recurrent states [23]. Then, with a supposedly large frame size, MC can reach its stable condition. Since all states are positive recurrent, the set of equations $P^* T = P^*$ and $P^* \mathbf{1} = 1$ have a unique solution $P^* = [p_0, \ldots, p_3]$ where $p_k$ denotes the steady state probability of state $S_k$ for $k \in \{0, 1, 2, 3\}$ [23], where $\mathbf{1}$ is a $4 \times 1$ vector with all elements equal to one, and $P^*$ is the steady state probability vector (SSPV). By solving this equation set, we get



$$P^* = \left[\,(1-q)^2 \quad q(1-q) \quad q(1-q) \quad q^2\,\right] \tag{15}$$

B. Wire-tap Channel Modelling



In section IV-B we showed that adversary can obtain the right key of a frame with the probability of $P_c$ by using optimized verification strategy in linear attack. To consider the worst possible case, we assume that before starting the attack, Eve has gathered the required number of pairs such that for each frame, she has already mounted her attack. When she has been able to achieve the correct key, there will not be any difference between the main channel and her channel, so her decrypted data in that frame undergoes the same channel condition as Bob's. As shown in Fig. 6, we refer to this channel state for Eve as the correct key state in frame level, which occurs with the probability of $P_c$ and can be modeled as a MC with four channel states in block level.

Nevertheless, with the probability of $P_e$, Eve will not be able to get any key for the attacked frame and has to drop the whole frame. We refer to this state as erasure state. Moreover, Eve gets a wrong key with the probability of $P_w$, such that after using a wrong key, due to the avalanche effect in DES cipher, each bit in DES output will be independently flipped with the probability of $\alpha$. This induced error XORs with intentional i.i.d. channel noise that has bit error probability of $\eta$. Consequently, in wrong key state, Eve's channel can be modeled as a BSC with cross over probability of $\gamma$ given in (5). Conclusively, wiretap channel is a degraded version of the main channel that only in the correct key state can be as good as Bob's channel. In fact, Eve's channel behaves like a pseudo two-dimensional Markov Chain (P2DMC) [24] with three memoryless states in frame dimension, each acting like another MC in block dimension as shown in Fig. 6.
Fig. 6. Eve's hierarchical channel model (state labels in the figure: wrong key state, correct key state)



VI. Secrecy capacity computation 

The next step is to quantify the secrecy capacity of the analyzed security system. The capacity of finite state Markov chains was calculated in [25] and [26]. In [27], [28] and [29] the capacity of the finite state Markov chains with binary symmetric channels associated in each state was studied. In [30] secrecy capacity of a wiretap channel modeled as a finite state MC is computed. We assume that the channel states are perfectly known to Bob and Eve, so what we compute is mutual information between the input $X$ and output $Y$ given the channel state, i.e. $I(X; Y \mid S_l)$. Since all four states of the main channel are in block level, in order to make Bob aware of the channel states in each block, Alice can use an error detection procedure and embed it in each block. For Eve, we assume that she is aware of this error detection procedure, which allows her to be aware of channel states in block level. In frame level, it is assumed that she knows the correctness state of each used frame key towards the end of each frame. Specially, this can be considered as the best scenario for Eve, providing us a lower bound for secrecy rate.

The main purpose of secrecy capacity computation is to design a secrecy encoder which is applied ahead of the encryption in application layer over multiple frames. Namely, when the message is transmitted at a rate below the secrecy rate to Bob using a Wyner-type encoding technique llSTI, [5], we can have an arbitrarily small error probability for Bob as well as the maximum entropy for Eve. In the asymptotic sense, by secrecy encoding, users utilize Eve's failures which cause her channel to be a degraded channel compared to Bob's.

A. Capacity of the Main Channel 

When channel state information is available, the capacity is the average of capacities that each one of these MC states contributes to the overall channel capacity [25], [27]:



A'-l 
fc=0 



(16) 



where $C(S_k)$ is the channel capacity in state $S_k$ in bit per channel use. It can be computed as the maximum information rate between input and output vectors, $X$ and $Y$, respectively, assuming that the current state $S_k$ is known to Bob:

$$C(S_k) = \max_{P_X} I(X; Y \mid S_k)/64. \tag{17}$$



Note that our modeled four state Markov channel is uniformly symmetric because in any state, channel is output symmetric [25]. For instance, in states $S_0$ and $S_2$, the channel behaves as a BSC channel. In states $S_1$ and $S_3$, if we define the transition probability matrix as $P^{l}_{ij} = \Pr(Y = j \mid X = i, S_l)$ for $j \in \mathcal{Y}$, $i \in \mathcal{X}$, $l = 1, 3$, its rows and columns are permutations of each other because according to equations (13) and (14), its elements only depend on the HW difference of input-output vectors. As a result, also in states $S_1$ and $S_3$, the channel is output symmetric. In [25] it is shown that for uniformly symmetric channel in which noise is independent of inputs, like our modeled Markov channel, capacity can be achieved with distribution which is uniform and i.i.d. Accordingly, in this finite state Markov channel by uniformly distributed inputs, the mutual information will be essentially maximized.

In state $S_0$, channel is an error-free BSC with capacity of 1, i.e. $C(S_0) = 1$, and in state $S_2$, it acts like a BSC with cross over probability of $\alpha$ and the capacity of $C(S_2) = 1 - h(\alpha)$, where $h$ is binary entropy function. However, for $S_1$ and $S_3$ in which decryption bit errors are not independent, we need to compute the mutual information between input and output vectors, namely $I(X; Y \mid S_l)$ for $l = 1, 3$, that is

$$I(X; Y \mid S_l) = H(Y \mid S_l) - H(Y \mid X, S_l). \tag{18}$$

We assume that channel state is perfectly known to Bob. In the following theorem, which is proven in Appendix C using Lemma 1, we compute $H(Y \mid X, S_l)$ for $l = 1, 3$.

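Lemma 2: Consider our four state MC model for the main channel with input vector $X$ and output vector $Y$. With equally likely input plaintexts, we can compute $H(Y \mid X, S_1)$ as

$$H(Y \mid X, S_1) = -\frac{1}{q} \sum_{k=1}^{64} \binom{64}{k} \eta^{k}(1-\eta)^{64-k} \log \frac{\eta^{k}(1-\eta)^{64-k}}{q} \tag{19}$$

and $H(Y \mid X, S_3)$ will be

$$H(Y \mid X, S_3) = -\frac{1}{q} \sum_{k=0}^{64} \binom{64}{k} \left[\gamma^{k}(1-\gamma)^{64-k} - \alpha^{k}(1-\alpha)^{64-k}(1-q)\right] \log \frac{\gamma^{k}(1-\gamma)^{64-k} - \alpha^{k}(1-\alpha)^{64-k}(1-q)}{q} \tag{20}$$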

On the other hand, for both states $S_1$ and $S_3$, every output vector $Y_j$ can be generated by introducing all possible error vectors over their corresponding input vectors. Hence, since all 64-bit input plaintexts are uniformly distributed, the output will also be equally likely and uniformly distributed. Hence, for $l = 1, 3$ the output entropy is $H(Y \mid S_l) = 64$. Thus, by using Eq. (18) we can compute the mutual information for states $S_1$ and $S_3$ as

$$I(X; Y \mid S_l) = 64 - H(Y \mid X, S_l), \quad \text{for } l = 1, 3, \tag{21}$$
where $H(Y \mid S_1, X)$ is given in Eq. (19), and $H(Y \mid S_3, X)$ in Eq. (20). According to Eq. (17) the channel capacity in states $S_l$ for $l = 1, 3$ will be

$$C(S_l) = \frac{I(X; Y \mid S_l)}{64} \quad \text{(bits per channel use)}, \tag{22}$$

where $I(X; Y \mid S_1)$ and $I(X; Y \mid S_3)$ are given in Eq. (21). We can analyze Alice-Bob channel as a finite state MC with steady state probabilities given in Eq. (15). Hence, according to Eq. (16) Bob's channel capacity $C_B$ as the average of the state capacities can be computed as

$$C_B = (1-q)^2 + q(1-q)\left[C(S_1) + 1 - h(\alpha)\right] + q^2 C(S_3), \tag{23}$$

where $\alpha$ is the average bit error rate caused by the avalanche effect. In addition, $C(S_1)$ and $C(S_3)$ are given in Eq. (22), implying that these capacities mainly depend on $q$, $\gamma$, $\alpha$ and $\eta$. As a result, the main channel capacity depends on $q$ and $\gamma$, which according to Eq.'s (12) and (5) are themselves functions of $\eta$, for a fixed $\alpha$. Therefore, Bob's channel capacity mainly depends on the original channel cross over probability $\eta$.

B. Secrecy Capacity of the Wire-tap Channel with Noise 

As discussed in subsection V-B, wiretap channel is a degraded version of the main channel that only in correct key state can be as good as Bob's channel. In the worst possible scenario, we assume she is perfectly aware of channel states. When Eve with the probability of $P_c$ obtains the right key, her channel capacity will be the same as Bob's, i.e. $C_B$, but when with the probability of $P_w$ she gets a wrong key, her channel will turn into a BSC with the cross over probability of $\gamma$, which has the capacity of $1 - h(\gamma)$. Note that the erasure state does not contribute to the capacity. Hence, Eve's capacity will be

$$C_E = P_w\,(1 - h(\gamma)) + P_c\,C_B \tag{24}$$

where $C_B$ is given in Eq. (23). In the following theorem secrecy capacity is found, whose proof is given in Appendix D.

Theorem 2: The secrecy capacity for the created wire-tap channel with the described channel models for Bob and Eve will be

$$C_s = C_B(1 - P_c) - (1 - P_e - P_c)(1 - h(\gamma)). \tag{25}$$



This result implies that secrecy capacity mainly depends on $P_c$, $P_e$ and $C_B$. Due to the fact that all of $P_c$, $P_e$ and $C_B$ highly depend on the channel error rate $\eta$, the main parameter that impacts secrecy capacity of the system is intentional noise. Namely, if Alice can control the cross over probability of the channel, it is possible to adjust secrecy rate of the system. Note that Alice applies secrecy encoding over multiple frames in order to statistically average over Eve's possible failures in frame level, and also to enable Bob to do the error correction coding when burst of errors occurs. Basically, Alice and Bob have to use a well designed wiretap channel encoder, based on the computed secrecy rate in Eq. (25). Notably, the main issue in this scheme is delay that is imposed on the system by applying multiple frame encoding, which makes this scheme applicable only for delay tolerant communication.
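
The chain from the four-state model to Eq. (25) can be evaluated numerically. The Python sketch below is an added example, not code from the paper: it builds the transition matrix, finds the steady state, evaluates the state capacities over Hamming weights, and returns $C_B$, $C_E$ and $C_s$. It assumes $q = 1-(1-\eta)^{64}$ for Eq. (12) and $\gamma = \alpha(1-\eta)+\eta(1-\alpha)$ for Eq. (5), neither of which is legible in this section; function names are illustrative, and the sample inputs ($\eta = 0.0125$, $\alpha = 0.5$, $P_c = 0.1618$) are the values quoted in the numerical results, with $P_e = 0$ as a placeholder.

```python
import math

BLOCK = 64  # bits per DES block

def h2(p):
    """Binary entropy h(p) in bits."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1 - p) * math.log2(1 - p)

def block_error_prob(eta):
    """q of Eq. (12). ASSUMED form: i.i.d. bit flips at rate eta over 64 bits."""
    return 1.0 - (1.0 - eta) ** BLOCK

def xor_error_rate(alpha, eta):
    """gamma of Eq. (5). ASSUMED form: XOR of two independent error sequences."""
    return alpha * (1.0 - eta) + eta * (1.0 - alpha)

def transition_matrix(q):
    """Four-state chain S0..S3: the next state depends only on whether the
    current block was hit (previous state S1/S3) and the new block is hit (q)."""
    return [[1 - q, q, 0.0, 0.0],
            [0.0, 0.0, 1 - q, q],
            [1 - q, q, 0.0, 0.0],
            [0.0, 0.0, 1 - q, q]]

def steady_state(T, iters=50):
    """Stationary vector P* (P* T = P*) by power iteration."""
    p = [0.25] * 4
    for _ in range(iters):
        p = [sum(p[i] * T[i][j] for i in range(4)) for j in range(4)]
    return p

def weight_entropy(prob_of_weight):
    """Entropy in bits of a 64-bit error vector whose probability depends only
    on its Hamming weight k (C(64, k) vectors share each probability)."""
    total = 0.0
    for k in range(BLOCK + 1):
        p = prob_of_weight(k)
        if p > 0.0:  # zero-probability vectors contribute nothing
            total -= math.comb(BLOCK, k) * p * math.log2(p)
    return total

def capacity_s1(eta):
    """C(S1): only the current block is in error, so weight 0 cannot occur."""
    q = block_error_prob(eta)
    def pr(k):
        return 0.0 if k == 0 else eta ** k * (1 - eta) ** (BLOCK - k) / q
    return (BLOCK - weight_entropy(pr)) / BLOCK

def capacity_s3(eta, alpha):
    """C(S3): both the current and the previous block are in error."""
    q = block_error_prob(eta)
    g = xor_error_rate(alpha, eta)
    def pr(k):
        num = (g ** k * (1 - g) ** (BLOCK - k)
               - alpha ** k * (1 - alpha) ** (BLOCK - k) * (1 - q))
        return max(num, 0.0) / q  # clamp floating-point rounding noise
    return (BLOCK - weight_entropy(pr)) / BLOCK

def secrecy_capacity(eta, alpha, p_c, p_e):
    """Return (C_B, C_E, C_s) following Eqs. (23), (24) and (25)."""
    if not 0.0 < eta < 1.0:
        raise ValueError("eta must lie strictly between 0 and 1")
    q = block_error_prob(eta)
    p0, p1, p2, p3 = steady_state(transition_matrix(q))
    c_b = (p0 * 1.0 + p1 * capacity_s1(eta)
           + p2 * (1 - h2(alpha)) + p3 * capacity_s3(eta, alpha))
    p_w = 1.0 - p_e - p_c  # wrong-key probability
    c_e = p_w * (1 - h2(xor_error_rate(alpha, eta))) + p_c * c_b
    return c_b, c_e, c_b - c_e

if __name__ == "__main__":
    # p_e is a placeholder: with alpha = 0.5 the wrong-key term vanishes.
    c_b, c_e, c_s = secrecy_capacity(eta=0.0125, alpha=0.5, p_c=0.1618, p_e=0.0)
    print(f"C_B = {c_b:.4f}, C_E = {c_e:.4f}, C_s = {c_s:.4f}")
```

With $\alpha = 0.5$ the wrong-key state and state $S_3$ carry no information, so $C_s$ reduces to $C_B(1 - P_c)$ and the result does not depend on the placeholder $P_e$.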



VII. Numerical Results 

The main objective of numerical analysis is to evaluate the effect of varying $\eta$ on secrecy rate in order to see if there exists an optimum value for $\eta$ for which secrecy capacity reaches its maximum. In simulations, we assume that Alice by controlling $\eta$ is able to generate a degraded wiretap channel. In addition, we assume that the whole data is divided into equal size frames, each containing as many 64-bit data blocks as the four-state MC needs to reach its steady state, such that for each frame, encryption and decryption key remains constant.

Let us assume that 9 = 2*® is the maximum number of DES encryptions that Eve can perform to establish an attack on each frame, because, for instance, with a CPU having speed of 2.6 GHz, it takes about 30 hours for her to accomplish this many encryptions. For the attack optimization algorithm proposed in section IV-C, the initial value selected for $n$ is $n_0 = 20$, the maximum possible value for $N_c$ is chosen as $N_{c\max} = 100$, and the thresholds Tj and are set to 10^^. Furthermore, we chose $\alpha$, the avalanche effect bit error rate, to be 0.5. To evaluate the effect of noise variation on the performance of the system, we changed $\eta$ from 10^"* to 0.05 with 500 steps of size 10^''. Moreover, suppose that Eve is able to detect these step size changes on $\eta$ by probing the channel and each time is able to optimize all attack parameters using the parameter optimization algorithm. We assume that Eve is not allowed to use more than N^ax = 2*^ number of pairs, and prior to attack on each frame, she obtains the required number of plaintext/ciphertext pairs and mounts her attack.

In Fig. 7 overall success probability, wrong key and frame erasure probabilities are depicted as functions of $\eta$ for fixed number of pairs equal to 2*^. As this figure displays, with rising $\eta$, $P_c$ is monotonically decreasing, reaching zero for $\eta > 0.017$, while wrong key probability $P_w$ goes to 1 for $\eta = 0.05$ because of increase in $P_F$. As discussed in section IV-A, the obtained results for $P_w$ show that it becomes considerable for some channel conditions and can not be ignored. In Fig. 8 curves of main and wiretap channel capacities as well as the secrecy capacity are drawn as functions of $\eta$. This figure shows that Alice-Bob channel capacity is monotonically decreasing with increase in $\eta$ while secrecy capacity $C_s$ rises up to its maximum value 0.3442 for $\eta = 0.0125$ and then falls. Indeed, this cross over probability can be considered the optimum value for which secrecy capacity achieves its maximum.

TABLE III
Optimized attack parameters using proposed algorithm in IV-C

$\eta$    0.001     0.005     0.01      0.0125
$N_c$     5         9         16        20
$\tau$    3         5         6         7
$a$       23        24        24        27
$P_c$     0.9999    0.9636    0.5014    0.1618


In Table III optimized attack parameters using our proposed algorithm for four different $\eta$'s, i.e. 0.001, 0.005, 0.01 and 0.0125, are given. According to this table, with increase in $\eta$, the required number of trials $N_c$ for each key increases from 5 to 20 in order to keep P,„ below the threshold T!,„ — 10^^ when it rises. The same holds for parameters $a$ and $\tau$ which, to achieve the determined thresholds, have to increase with rising channel noise to maximize the overall success probability. According to our numerical results, Alice can adjust channel conditions by introducing deliberate noise in application layer to have $\eta = 0.0125$, to achieve the desirable secrecy capacity.

Fig. 7. Overall success probability, frame erasure and wrong key probabilities versus channel cross over probability (x-axis: BSC channel cross over probability (eta))

Fig. 8. Main channel and Eve's channel capacities and secrecy capacity for varying channel cross over probability (x-axis: BSC channel cross over probability (eta); marked point: 0.3442 at 0.0125)

VIII. Conclusion 

In this paper we showed that by introducing tunable noise 
in application layer upon the encrypted data, even though Eve 
utilizes an optimized attack strategy, the secrecy rate of the 
system can remarkably increase. In fact, Alice can achieve a 
sufficiently large secrecy capacity by adjusting the cross over 
probability of the channel using deliberate noise. This secrecy 
rate guarantees a highly secure and reliable communication 
using wiretap channel coding in application layer over multiple 
frames. For secrecy capacity computation we tailored the 
known channel states scenario. In our future work, we will 
focus on the unknown state case and also will consider a more 
generic cipher. In addition, we will work on more detailed 
design of a secrecy encoder in this framework. 

Appendix A 
Proof of Theorem 1

Proof: Suppose that all possible $2^{56-a}$ key candidates are arranged as $k_1, k_2, \ldots, k_{2^{56-a}}$ from the lowest rank to the highest. Let $H_i$ be the hypothesis that $k_i$ is the original key and $\mathcal{G}_i = 1$ be the event that Eve decides that $k_i$ is correct. We define a Bernoulli random variable $B$ which is equal to 1 when the right key is among the top $2^{56-a}$ candidates, and 0 otherwise. Thus, $\Pr[B = 0] = 1 - P_s$ and $\Pr[B = 1] = P_s$. Let $P_c$ be the total success probability for Eve. Note that when $B = 0$, the right key will not be tested and consequently can not be found. Therefore, we have

$$P_c = \sum_{i=1}^{2^{56-a}} \Pr[\mathcal{G}_i = 1, H_i \mid B = 1] \cdot \Pr[B = 1]. \tag{26}$$

The probability that Eve can realize the right key $k_i$ is

$$\Pr[\mathcal{G}_i = 1, H_i \mid B = 1] = \Pr[\mathcal{G}_i = 1 \mid H_i, B = 1] \cdot \Pr[H_i \mid B = 1].$$

For Eve to be able to find the correct key at rank $i$, since she starts the test from upper ranks to the lower ones, there should not be any false key acceptance for ranks higher than $i$, as well as no key missing event for rank $i$. Hence,



Pr[g,^l\H„B = l] = {l-PFy' 



\1-Pm)- (27) 



Moreover, decisions about all $2^{56-a}$ keys are independent, and all of the tested keys are equally probable to be the right one, i.e. $\Pr[H_i \mid B = 1] = \frac{1}{2^{56-a}}$. Therefore, by using Eq.'s (26) and (27), we obtain Eq. (9) for total success probability.

The next step is to compute the frame erasure probability. Assume that the right key is $k_i$ and is located among the top $2^{56-a}$ candidates. In order to obtain no key, Eve should not have any false key admission for $k_j$, $j \neq i$, for $i, j = 2^{56} - 2^{56-a} + 1, \ldots, 2^{56}$, i.e. the top $2^{56-a}$ candidates except the right key itself, and in addition to that she has to miss the right key $k_i$. When $k_i$ is not among the top candidates, since it will not be examined, Eve gets nothing provided that there has been no wrong key acceptance event for the top $2^{56-a}$ tested candidates. As a result, frame erasure probability can be computed according to Eq. (10). By a similar technique, we can prove that the wrong key probability is $P_w = 1 - P_e - P_c$. ■

Appendix B
Proof of Lemma 1

Proof: We need to compute vector transition probabilities between all possible input and output vectors $X$ and $Y$ for states $S_1$ and $S_3$. Hence, for $k = 1, 3$

$$\Pr[Y \mid X, S_k] = \Pr[X \oplus Y \mid X, S_k] = \Pr[E \mid S_k], \tag{28}$$

where $E$ is the decryption error vector, which is the bit-wise XOR of input and output vectors. The last equality is because $E$ depends on channel errors in previous and current ciphertexts, so given the state, it is independent from input vector $X$. To analyze states $S_0$ and $S_1$, we define two events, $A$ and $B$, as

$A$: There exists at least one bit error in $C_i$

$B$: There exists at least one bit error in $C_{i-1}$.

As a result, $S_1 = A \cap \bar{B}$, and we can write

$$\Pr(E \mid S_1) = \Pr(E \mid A, \bar{B}) = \frac{\Pr(E \mid \bar{B})\,\Pr(A \mid E, \bar{B})}{\Pr(A \mid \bar{B})}. \tag{29}$$

The fact that events $A$ and $B$ are caused by two independent channel error vectors $Z_{i-1}$ and $Z_i$ implies that $A$ is independent of $B$ and its complementary, i.e. $\Pr(A \mid \bar{B}) = \Pr(A) = q$. When event $B$ has not occurred, since only $C_i$ can induce bit errors with rate of $\eta$ into the stored plaintext, the probability that a particular decryption error vector $E$ with Hamming weight of $W(E)$ takes place will be

$$\Pr(E \mid \bar{B}) = \eta^{W(E)}(1-\eta)^{64-W(E)}. \tag{30}$$

In state $S_1$, HW of error vector $E$ can not be zero because we know that the only source that can induce error at stage $i$ is $Z_i$, which surely has a non-zero bit. In this case, given an error vector $E$ with $W(E) \neq 0$ and knowing that event $B$ did not occur, we can infer that this error is induced by error in $C_i$, hence event $A$ has certainly occurred, i.e. $\Pr(A \mid E, \bar{B}) = 1$. Thus, using equations (28), (29) and (30), we can obtain the input-output transition probability in $S_1$ as in Eq. (13).

On the other hand, according to its definition, state $S_3$ takes place when both events $A$ and $B$ happen, i.e. $S_3 = A \cap B$. Therefore,

$$\Pr(E \mid S_3) = \Pr(E \mid A, B) = \frac{\Pr(E \mid B)\,\Pr(A \mid E, B)}{\Pr(A \mid B)}. \tag{31}$$

Knowing that $B$ occurred implies that there exists one bit error in DES input, which induces independent bit errors with the rate of $\alpha$ in cipher output and consequently in $P_i$, but also there is an independent bit error sequence caused by $C_i$ that has the rate of $\eta$. Since the decryption error vector $E_i$ is a result of the XOR of these two error sequences, we can say that $E_i$ is a sequence of random bits with i.i.d. distribution and bit error probability of $\gamma$, which is given in Eq. (5). As a result,

$$\Pr(E \mid B) = \gamma^{W(E)}(1-\gamma)^{64-W(E)}, \tag{32}$$

so we can write

$$\Pr(A \mid E, B) = 1 - \Pr(\bar{A} \mid E, B) = 1 - \frac{\Pr(E \mid \bar{A}, B)\,\Pr(\bar{A} \mid B)}{\Pr(E \mid B)}. \tag{33}$$

When $A$ has not occurred but $B$ has, the only error source will be the cipher input that induces independent bit errors with the rate of $\alpha$ into the output. Consequently, we have

$$\Pr(E \mid \bar{A}, B) = \alpha^{W(E)}(1-\alpha)^{64-W(E)}. \tag{34}$$

Then, using equations (32), (33) and (34) gives us

$$\Pr(A \mid E, B) = 1 - \frac{\alpha^{W(E)}(1-\alpha)^{64-W(E)}(1-q)}{\gamma^{W(E)}(1-\gamma)^{64-W(E)}}. \tag{35}$$

Finally, according to equations (28), (31) and (35), the input-output transition probability in state $S_3$ for all $W(E)$ can be obtained using Eq. (14). ■

Appendix C
Proof of Lemma 2

Proof: If we assume that all $2^{64}$ possible input plaintexts are equally likely, for $l = 1, 3$ we can write

$$H(Y \mid S_l, X) = -\sum_i \sum_j \Pr(Y = Y_j, X = X_i \mid S_l) \log \Pr(Y = Y_j \mid X = X_i, S_l) = -\sum_{j=1}^{2^{64}} \Pr(E = E_j \mid S_l) \log \Pr(E = E_j \mid S_l). \tag{36}$$

The second equality results from Eq. (28) for $E_j = X_i \oplus Y_j$ as the decryption error vector. Furthermore, for state $S_1$, as discussed in subsection V-A, Hamming weight of the error vector $E$ can not be zero. Thus, we can take $E_1$ as a 64-bit zero vector and exclude it from this summation. Then, using Eq. (13) brings about the following result

$$H(Y \mid S_1, X) = -\sum_{j=2}^{2^{64}} \frac{\eta^{W(E_j)}(1-\eta)^{64-W(E_j)}}{q} \cdot \log \frac{\eta^{W(E_j)}(1-\eta)^{64-W(E_j)}}{q}. \tag{37}$$

We know that out of all $2^{64}$ error vectors, the number of possible vectors with Hamming weight of $W$, or vectors with $W$ non-zero bits, is the number of possibilities of choosing $W$ bits out of 64 bits, which is equal to $W$-combinations from 64 elements. Finally, Eq. (37) can be rewritten as Eq. (19). Note that we excluded the zero weight case, i.e. $k = 0$.

For state $S_3$, we can compute $H(Y \mid S_3, X)$ using Eq. (36) for $l = 3$. In this case, $j = 1$ is not excluded because unlike state $S_1$, in state $S_3$ it is possible to have decryption error vector $E_1$ with zero weight. Finally, by using Eq. (14), similar to the entropy in $S_1$, we obtain $H(Y \mid S_3, X)$ in Eq. (20).



Appendix D 
Proof of Theorem 2

Proof: It is shown in [32] that when the mutual information between Alice and Bob and the mutual information between Alice and Eve are individually maximized by the same input distribution, and the main channel is less noisy than the wiretap channel, the secrecy capacity can be computed as the difference of two capacities. In our channel model, since both Bob and Eve's mutual information with Alice are maximized with uniformly distributed inputs $X$, and wiretap channel is noisier than the main channel, the secrecy capacity will be $C_s = C_B - C_E$. It gives us the final result in Eq. (25). ■

References 

[1] W. F. Ehrsam, S. M. Matyas, C. H. Meyer, and W. L. Tuchman, "A cryptographic key management scheme for implementing the data encryption standard," IBM Systems Journal, vol. 17, no. 2, pp. 106-125, 1978.

[2] B. Schneier, Applied cryptography (2nd ed.): protocols, algorithms, and source code in C. New York, NY, USA: John Wiley & Sons, Inc., 1995.

[3] A. Wyner, "The wire-tap channel," Bell Syst. Tech. J., vol. 54, pp. 1355-1387, 1975.

[4] I. Csiszár and J. Körner, "Broadcast channels with confidential messages," IEEE Trans. Inform. Theory, pp. 339-348, May 1978.

[5] A. Thangaraj, S. Dihidar, A. Calderbank, S. McLaughlin, and J. Merolla, "Applications of LDPC codes to the wiretap channel," IEEE Transactions on Information Theory, vol. 53, no. 8, pp. 2933-2945, Aug 2007.

[6] R. Yin, S. Wei, J. Yuan, X. Shan, and X. Wang, "Tradeoff between reliability and security in block ciphering systems with physical channel errors," Proc. IEEE Military Commun. Conf. (MILCOM), 2010.

[7] S. Goel and R. Negi, "Guaranteeing secrecy using artificial noise," Wireless Communications, IEEE Transactions on, vol. 7, no. 6, pp. 2180-2189, June 2008.

[8] J. Vilela, M. Bloch, J. Barros, and S. McLaughlin, "Wireless secrecy regions with friendly jamming," Information Forensics and Security, IEEE Transactions on, vol. 6, no. 2, pp. 256-256, June 2011.

[9] M. J. Mihaljevic and H. Imai, "An approach for stream ciphers design based on joint computing over random and secret data," Computing, vol. 85, pp. 153-168, 2009.

[10] M. Willett, "Deliberate noise in a modern cryptographic system (corresp.)," IEEE Transactions on Information Theory, vol. 26, no. 1, pp. 102-104, 1980.

[11] M. Mihaljevic and F. Oggier, "A wire-tap approach to enhance security in communication systems using the encoding-encryption paradigm," IEEE 17th International Conference on Telecommunications (ICT), pp. 83-88, April 2010.

[12] P. C. Kocher, J. Jaffe, and B. Jun, "Differential power analysis," in Proceedings of the 19th Annual International Cryptology Conference on Advances in Cryptology, ser. CRYPTO '99. London, UK: Springer-Verlag, 1999, pp. 388-397.

[13] T. Roche, V. Lomné, and K. Khalfallah, "Combined fault and side-channel attack on protected implementations of AES," CARDIS, pp. 65-83, 2011.

[14] Y. Liu, P. Chen, G. Xie, Z. Liu, and Z. Li, "The design of a low-power asynchronous DES coprocessor for sensor network encryption," in International Symposium on Computer Science and Computational Technology (ISCSCT), vol. 2, Dec 2008, pp. 190-193.

[15] W. Zibideh and M. Matalgah, "Modified-DES encryption algorithm with improved BER performance in wireless communication," in Radio and Wireless Symposium (RWS), 2011 IEEE, Jan. 2011, pp. 219-222.

[16] Y. Xiao, H. Chen, X. Du, and M. Guizani, "Stream-based cipher feedback mode in wireless error channel," IEEE Trans. Wireless Comm., vol. 8, pp. 622-626, 2009.

[17] H. Heys and S. Tavares, "Avalanche characteristics of substitution-permutation encryption networks," IEEE Trans. Comput., vol. 44, no. 9, pp. 1131-1139, Sep 1995.

[18] K. Nyberg, "S-boxes and round functions with controllable linearity and differential uniformity," in FSE, pp. 111-130, 1994.

[19] M. Matsui, "Linear cryptanalysis method for DES cipher," Lecture Notes in Computer Science, vol. 765, pp. 385-397, 1994.

[20] A. Selcuk and A. Bicak, "On probability of success in linear and differential cryptanalysis," SCN 2002, pp. 174-185, 2003.

[21] C. H. Bennett, G. Brassard, C. Crépeau, and U. M. Maurer, "Generalized privacy amplification," IEEE Trans. Inform. Theory, vol. 41, pp. 1915-1923, Nov. 1995.

[22] M. Matsui, "The first experimental cryptanalysis of the data encryption standard," Lecture Notes in Computer Science, vol. 835, pp. 1-11, 1994.

[23] S. Ross, "Introduction to probability models," University of Southern California, Academic Press, Tenth Edition, ISBN: 978-0-12-375686-2, 2010.

[24] S. Yu, Z. Liu, M. Squillante, C. Xia, and L. Zhang, "A hidden semi-markov model for web workload self-similarity," 21st IEEE International Performance, Computing, and Communications Conference, pp. 65-72, 2002.

[25] A. J. Goldsmith and P. P. Varaiya, "Capacity, mutual information, and coding for finite-state markov channels," IEEE Trans. Inform. Theory, vol. 43, pp. 868-886, May 1996.

[26] T. Holliday, A. Goldsmith, and P. Glynn, "Capacity of finite state markov channels with general inputs," Proceedings of the IEEE International Symposium on Information Theory 289, 2003.

[27] H. S. Wang and N. Moayeri, "Finite-state markov channel: A useful model for radio communication channel," Proc. IEEE Veh. Tech. Conf. (VTC), vol. 44, pp. 163-171, Feb 1995.

[28] M. Mushkin and I. Bar-David, "Capacity and coding for the Gilbert Elliot channel," IEEE Trans. Inform. Theory, vol. 35, pp. 1277-1290, 1989.

[29] A. Lapidoth and I. E. Telatar, "The compound channel capacity of a class of finite-state channels," IEEE Trans. Inform. Theory, vol. 44, pp. 973-983, 1998.

[30] Y. Sankarasubramaniam, A. Thangaraj, and K. Viswanathan, "Finite-state wiretap channels: Secrecy under memory constraints," Information Theory Workshop, 2009. ITW 2009. IEEE, pp. 115-119, Oct. 2009.

[31] L. H. Ozarow and A. D. Wyner, "Wire-tap channel II," Bell System Technical Journal, vol. 63, no. 10, pp. 2135-2157, Dec 1984.

[32] M. V. Dijk, "On a special class of broadcast channels with confidential messages," IEEE Trans. Inform. Theory, vol. 43, pp. 712-714, Mar 1997.



